refactor: convert puppetserver compilers to deployment with configmap integration (#57)

- Convert StatefulSet to Deployment for better scaling flexibility
- Add initContainer to copy configmaps to shared RWX volume (10GB)
- Integrate puppetserver-compiler-config configmap for environment variables
- Configure configMapGenerator with stable names (disableNameSuffixHash)
- Update HPA to target Deployment instead of StatefulSet
- Simplify puppetboard SSL config to skip verification for internal connections

Reviewed-on: #57
This commit was merged in pull request #57.
This commit is contained in:
2026-03-20 20:47:36 +11:00
parent f25117ab7f
commit c2d23aaeae
9 changed files with 184 additions and 35 deletions
@@ -12,9 +12,7 @@ metadata:
data:
PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
PUPPETDB_SSL_SKIP_VERIFY: "True"
LOGLEVEL: "debug"
PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3"
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: StatefulSet
kind: Deployment
metadata:
annotations:
reloader.stakater.com/auto: "true"
@@ -11,12 +11,10 @@ metadata:
name: puppetserver-compiler
namespace: puppet
spec:
podManagementPolicy: OrderedReady
selector:
matchLabels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
serviceName: puppet-headless
template:
metadata:
labels:
@@ -41,26 +39,14 @@ spec:
ports:
- containerPort: 8140
name: puppetserver
envFrom: null
envFrom:
- configMapRef:
name: puppetserver-compiler-config
env:
- name: OPENVOXSERVER_HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPENVOXSERVER_PORT
value: "8140"
- name: DNS_ALT_NAMES
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
- name: OPENVOXDB_SERVER_URLS
value: https://puppetdb:8081
- name: CA_ENABLED
value: "false"
- name: CA_HOSTNAME
value: puppetca
- name: CA_PORT
value: "8140"
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
livenessProbe:
failureThreshold: 3
periodSeconds: 30
@@ -109,6 +95,36 @@ spec:
name: eyaml-keys
readOnly: true
initContainers:
- name: copy-configmaps
image: busybox:1.35
command:
- sh
- -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
cp /configmaps/cobbler-enc /etc/puppetlabs/puppet/cobbler-enc
chmod +x /etc/puppetlabs/puppet/cobbler-enc
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
- args:
- mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
mkdir -p /etc/puppetlabs/code/environments;
@@ -165,20 +181,24 @@ spec:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
updateStrategy:
- name: compiler-puppet-conf
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
strategy:
type: RollingUpdate
volumeClaimTemplates:
- metadata:
annotations: null
name: puppet-puppet-volume
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
@@ -11,7 +11,7 @@ metadata:
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: StatefulSet
kind: Deployment
name: puppetserver-compiler
minReplicas: 2
maxReplicas: 5
+23 -1
View File
@@ -31,4 +31,26 @@ resources:
- service_puppetca.yaml
- service_puppetboard.yaml
- service_puppetdb.yaml
- statefulset_puppetserver-compiler.yaml
- deployment_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
@@ -106,3 +106,21 @@ spec:
requests:
storage: 1Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
+50
View File
@@ -0,0 +1,50 @@
#!/usr/bin/env -S uv run --quiet --script
# /// script
# requires-python = ">=3.11"
# dependencies = ['pyyaml','requests']
# ///
"""
External Node Classifier (ENC) for Puppet.
If the environment specified in the YAML file is 'testing',
the environment is not included in the output.
"""
import sys
import yaml
import requests
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
"""
Fetches and modifies ENC data from a given URL to ensure classes are in list format.
"""
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try:
response = requests.get(url, verify='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem')
response.raise_for_status()
except requests.RequestException as e:
sys.exit(f"Request failed: {e}")
data = yaml.safe_load(response.text)
data["parameters"] = data.get("parameters", {})
# Ensure 'classes' is in the desired list format
if "classes" in data:
if isinstance(data["classes"], dict):
data["parameters"]["enc_role"] = list(data["classes"].keys())
data["classes"] = list(data["classes"].keys())
else:
data["parameters"]["enc_role"] = list(data["classes"])
data["classes"] = list(data["classes"])
if "environment" in data:
data["parameters"]["enc_env"] = data["environment"]
if data["environment"] == "testing":
del data["environment"]
return yaml.dump(data)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit(f"Usage: {sys.argv[0]} <hostname>")
print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1]))
@@ -0,0 +1,15 @@
# Autosign all nodes from these subnets
198.18.13.0/24
198.18.14.0/24
198.18.15.0/24
198.18.16.0/24
198.18.17.0/24
198.18.20.0/24
198.18.24.0/24
198.18.25.0/24
198.18.26.0/24
198.18.27.0/24
198.18.28.0/24
198.18.29.0/24
# Autosign all nodes from these domains
*.main.unkin.net
@@ -0,0 +1,23 @@
[main]
server = puppetserver-compiler
serverport = 8140
dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
environmentpath = /etc/puppetlabs/code/environments
[master]
node_terminus = exec
external_nodes = /usr/local/bin/cobbler-enc
autosign = /etc/puppetlabs/puppet/autosign.conf
default_manifest = /etc/puppetlabs/code/environments/develop/manifests
default_environment = develop
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
usecacheonfailure = false
@@ -0,0 +1,3 @@
[main]
server_urls = https://puppetdb.k8s.syd1.au.unkin.net
soft_write_failure = true